RE: IPSec SA DELETE in "dangling" implementation
> -----Original Message-----
> From: Slava Kavsan [mailto:bkavsan@ire-ma.com]
> Sent: November 30, 1999 11:46 AM
> To: ipsec
> Subject: IPSec SA DELETE in "dangling" implementation
>
>
> Here is the dilemma: if a "dangling" implementation wants to send an
> IPSec SA DELETE message while the "parent" IKE SA is no longer there
> (expired or deleted), the alternatives are (and I do not like either
> of them):
>
> a) do not send DELETE
> b) re-negotiate IKE SA before sending DELETE
>
> Any suggestions?
>
I think you've pretty much captured it. However, b) is
preferable to a).
We might note that if you've re-keyed the phase 2 SA
that you're about to delete, and if you move to the
newest phase 2 SA as soon as possible, the probability
that the phase 1 SA is not there should be low, since
the time difference between a re-key and a delete of a
phase 2 SA is small.
This is probably the most normal of circumstances, so
the situation you describe should not be as common as
needing to re-negotiate phase 1 for the purposes of
re-keying.
Bottom line: attempt b), else a).
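The policy in the reply ("attempt b), else a)") and the rekey timing argument above it, modelled as an added example that is not code from the thread or from any IKE implementation. The class and method names (SADatabase, delete_ipsec, rekey_ipsec), the string cookies, and the renegotiate callback standing in for a real phase 1 negotiation with the peer are all assumptions made for illustration; the SA lifetimes are constructed sample values.

```python
"""Deciding how to send an IPsec (phase 2) SA DELETE when the IKE (phase 1) SA
that created it may already be gone, i.e. the "dangling" implementation model.

Added example, not code from the thread or any IKE implementation: the class
and method names are assumptions, and the peer-side renegotiation is modelled
by a callback so the three outcomes (sent under the live IKE SA, sent under a
renegotiated IKE SA, dropped) can be exercised offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class IkeSA:
    """Phase 1 SA; identified here by an assumed string cookie."""
    cookie: str
    expires_at: float


@dataclass
class IpsecSA:
    """Phase 2 SA; `parent` records the IKE SA it was negotiated under."""
    spi: int
    parent: str
    expires_at: float


class SADatabase:
    """Dangling model: phase 2 SAs outlive the phase 1 SA that created them."""

    def __init__(self, renegotiate: Optional[Callable[[float], Optional[IkeSA]]] = None):
        self.ike: Dict[str, IkeSA] = {}
        self.ipsec: Dict[int, IpsecSA] = {}
        self.sent: List[Tuple[int, str]] = []   # (spi, cookie of IKE SA used)
        self.dropped: List[int] = []            # SPIs whose DELETE was never sent
        self.renegotiate = renegotiate          # alternative (b); None = unavailable

    def add_ike(self, sa: IkeSA) -> None:
        self.ike[sa.cookie] = sa

    def live_ike(self, now: float) -> Optional[IkeSA]:
        """Purge expired phase 1 SAs and return the newest live one, if any."""
        for cookie in [c for c, s in self.ike.items() if s.expires_at <= now]:
            del self.ike[cookie]
        return max(self.ike.values(), key=lambda s: s.expires_at, default=None)

    def negotiate_ipsec(self, spi: int, now: float, lifetime: float) -> IpsecSA:
        ike = self.live_ike(now)
        if ike is None:
            raise RuntimeError("phase 2 negotiation needs a live phase 1 SA")
        sa = IpsecSA(spi, ike.cookie, now + lifetime)
        self.ipsec[spi] = sa
        return sa

    def rekey_ipsec(self, old_spi: int, new_spi: int, now: float, lifetime: float) -> IpsecSA:
        """Negotiate a replacement for old_spi; deleting the old SA is the caller's job.
        The new SA is set up under whatever phase 1 SA is live *now*, so a DELETE
        of the old SA sent shortly afterwards normally finds that same phase 1 SA."""
        assert old_spi in self.ipsec, "rekey of unknown SA"
        return self.negotiate_ipsec(new_spi, now, lifetime)

    def delete_ipsec(self, spi: int, now: float) -> str:
        """Remove spi locally and notify the peer. The DELETE must travel in an
        exchange protected by a phase 1 SA, so:
          live phase 1 SA             -> send under it
          none, renegotiation works   -> alternative (b): renegotiate, then send
          none, renegotiation fails   -> alternative (a): drop the DELETE
        """
        self.ipsec.pop(spi, None)
        ike = self.live_ike(now)
        if ike is None and self.renegotiate is not None:
            ike = self.renegotiate(now)
            if ike is not None:
                self.add_ike(ike)
        if ike is None:
            self.dropped.append(spi)
            return "dropped"
        self.sent.append((spi, ike.cookie))
        return "sent"


def scenario(renegotiation_works: bool) -> Tuple[str, str]:
    """Constructed timeline: phase 1 SA lives until t=1000. A phase 2 rekey at
    t=95 followed by a DELETE of the old SA at t=100 finds the phase 1 SA alive;
    a DELETE at t=1500 does not, and falls back to (b) or (a)."""
    def renegotiate(now: float) -> Optional[IkeSA]:
        return IkeSA("ike-2", now + 1000.0) if renegotiation_works else None

    db = SADatabase(renegotiate)
    db.add_ike(IkeSA("ike-1", 1000.0))
    db.negotiate_ipsec(0x1001, now=0.0, lifetime=100.0)
    db.rekey_ipsec(0x1001, 0x1002, now=95.0, lifetime=100.0)
    first = db.delete_ipsec(0x1001, now=100.0)
    second = db.delete_ipsec(0x1002, now=1500.0)
    return first, second


if __name__ == "__main__":
    print(scenario(renegotiation_works=True))
    print(scenario(renegotiation_works=False))
```

The first DELETE in `scenario` is the common case from the reply: the gap between rekeying a phase 2 SA and deleting the old one is short, so the phase 1 SA that carried the rekey is almost always still live. Only the second DELETE, issued long after the phase 1 SA expired, has to choose between renegotiating and dropping.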